GDPR and the ethical use of data

Ian Smith, Financial Director and General Manager at Invu explains how GDPR will promote a more ethical use of data among businesses, and outlines the penalties facing those which fail to comply.

Shares

GDPR is essentially about two things, the ethical use of personal data and keeping that personal data secure. The regulation aims to put the individual back in control of their data and establishes six principles, one of which covers security, to be followed by those who store or use personal data.

Modern business is built on data, with companies regularly compiling information on their customers’ buying habits, browsing history, even financial data.

This regular surrender of information has become second nature to today’s consumer, with most thinking nothing of handing over their privacy rights, and giving up personal information, like their contact details and date of birth, in exchange for receiving updates on products, or for the chance to get the latest weekly deal.

Current best practice would require that more thought needs to be put into this process, requiring companies to make it easier for individuals to understand how this data will be used for and, importantly, what steps businesses are taking to keep that information secure.

There is always a risk where customer data is involved, and the constant headlines of cyberattacks and malware scams give the impression that it is not so much if someone will try to get hold of our data as much as when they will try to get it.

Whether this is financial data held by a bank, commercial information held by a retailer, or sensitive personal information held by the health service, the cost of a data breach can be high. Of course, regulations such as the Data Protection Act (DPA) already exist in the UK, offering protection and safeguards against data loss or access.

The DPA will be significantly upgraded in May 2018. A new EU wide law, the General Data Protection Regulation (GDPR) will further strengthen data privacy requirements, widening the scope of what is considered to be personal information and enforcing much stricter policies on what information businesses are allowed to collect on individuals, along with putting more pressure on them to keep this information secure. The entity acquiring the data, the data controller, and any entity processing the data, the processor, will have to follow the principles.

One of the elements of GDPR that should gain the attention of businesses, is the scale of the fines. These raise from the DPA maximum of up to £500,000 to, in certain circumstances, maximum financial penalties of up to 4 per cent of the annual global turnover, or up to €20m (whichever is higher) faced by any company that breaches the rules under GDPR.

As an example of how much more substantial this is, research by NCC Groupn showed that if GDPR had been enforced in 2016, the size of the fines handed out by the Information Commissioner’s Office to companies in breach of data rules would have been £69m, rather than £880,500.

Despite the Brexit decision, UK businesses will still have to adhere to GDPR and face heavy penalties if they are found to fall short. Even after the UK leaves the EU, the recently unveiled Data Protection Bill will ensure the legislation effectively remains in place for domestic businesses.

Also, any company in the world which does hold information on EU citizens will be forced to comply with GDPR. Entities operating outside the EU, often hold assets (like subsidiaries) within the EU and these will be exposed to the fines.

GDPR is designed to protect personal data and sensitive personal data such as political views, medical details, passport or ID document scans.

It is also designed to restrict the ease with which businesses and organisations can collect data for one purpose, and then continue using it long into the future.

Privacy notices will have to be much easier to understand, businesses will no longer be able to make these so complex that individuals just click through them understanding neither what access to their personal information they are granting, nor how it is to be used.

Ethical use of data

When it comes to information, businesses are sat on a goldmine of personal data which enables them to create detailed and actionable profiles of their customers. As well as changing the way this data is collected and handled, GDPR will also put more pressure on businesses to ensure that data is protected and secure from cradle to grave.

When considered in the cold light of day, GDPR forces all businesses to follow a strict code of ethics to collect, manage and store personal data. It has been designed to put the control of personal data back in the hands of the individual. The right to be forgotten, amongst others, has been enhanced under GDPR, so it is worth re-visiting your procedures to make sure you’re protected.

What about hackers and cyber-crime?

Illegal access to information will not cease, rather it will continue to grow while consumer confidence in secure data storage is diminishing. High profile cases of data loss, including the theft of 38 million account details from Adobe, the compromising of 20,000 bank accounts when details were held with Tesco and the hacking of one billion Yahoo email accounts, do nothing to reassure customers that their information is safe.

Data is power and blocking access to that data can bring businesses to a grinding halt, as experienced with the WannaCry Ransomware attack. Businesses need to reassure customers and partners that information is secured to the greatest possible degree.

What should you do?

Any organisation that processes, manages or has built their business on the back of third party data needs to understand GDPR and adhere to its regulations.

This includes managing documents to ensure they know what data they hold and where it is, as well as defining explicitly who can access the information and how it can be used.

It will become more important than ever that businesses ensure any document management is efficient and that any access and audit controls are established to ensure compliance with GDPR.